Everybody knows by now that the password was “LOUVRE.” But the stunning theft of the French crown jewels from the world’s most-visited museum revealed a lot more than just sloppy password practices.
The Louvre heist and the museum’s muddled security strategy offer critical, and possibly surprising, lessons in cybersecurity.
As a reminder, alleged thieves stole the French crown jewels from the Louvre in a four-minute, broad-daylight heist on a Sunday morning in October. The story was fascinating enough before another piece of it broke: The password for the museum’s video surveillance system was “LOUVRE,” or at least it was in 2014, when a security audit warned that the Louvre had massive security flaws and was ripe for an attack.
The museum responded to the audit by doing almost nothing for nearly a decade. It now has a plan in place to shore up security by 2032. Whether the “LOUVRE” password changed from 2014 until 2025 is unclear. (Presumably, someone has changed it by now.) What is clear is that the Louvre had major holes in its data protection strategy, including using Windows 2000 in 2014, four years after Microsoft stopped supporting the operating system.
Eliminating cybersecurity weaknesses is impossible
The Louvre was far from alone in employing an incomplete and potentially dangerous cybersecurity strategy. The fact is that cybersecurity risks exist in every organization. They’re impossible to eliminate. The key is to know how to manage them.
There are two primary factors that come into play when assessing cybersecurity risk: the vulnerability itself and the likelihood of an attack on that vulnerability. Patching provides an example. It’s incredibly important. The Acronis Cyberthreats Report H1 2025 found that unpatched vulnerabilities accounted for 27% of all attacks on managed service providers (MSPs). Unpatched systems remain an easy target for ransomware, which claimed 70% more victims in the first half of 2025 than in the same time period in 2023 and 2024.
But it’s nearly impossible for any organization to apply every patch to every system or application as soon as the patch is available. In fact, applying patches immediately can do more harm than good in some situations, as the infamous 2024 CrowdStrike airline outage demonstrated.
Patch the most exposed systems first
A better and more practical approach is to isolate systems, applications or machines that you can’t patch immediately. For instance, never leave an internet-facing system unpatched. If a system either has a large number of users or connects to the internet (or both), patch it as quickly and frequently as possible. It’s a major attack vector.
Back-office systems and apps are different. They can go unpatched for much longer periods if they’re isolated from the internet and restricted to use only by administrators or trained and trusted personnel. It’s also a good idea to put an application or system behind multiple firewalls if you don’t plan to patch it regularly. Yes, an unpatched system is still a weak point in your infrastructure, but severely restricting access to it is an effective method of managing the risk it presents.
Migrate vulnerable systems and bury the others
The same goes for migrating systems that use outdated operating systems and apps. Budget, time and performance requirements generally don’t allow organizations to migrate everything in their infrastructures to the latest version, or even one that’s currently supported. In many industrial environments, for instance, operational technology (OT) systems still run on Windows XP, an OS that’s a quarter century old and that Microsoft hasn’t supported in more than a decade.
The same thinking applies here as it does to patching. If a system faces the internet or has a lot of users, migrate it before support ends. If it’s not practical or necessary to migrate, keep the outdated system buried behind firewalls and only accessible by trained people who absolutely need to use it. Again, you can’t eliminate every weakness in your system, but you can make it extremely difficult for attackers to reach.
When you bury vulnerable systems, you decrease the likelihood of attack. Simply put, the more likely a system is to suffer an attack, the more rigorous you need to be about patching and migrating it. You can’t eliminate vulnerabilities, but you can hide them.
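The patching and migration sections above describe one decision procedure: weigh how vulnerable a system is against how likely it is to be attacked, patch or migrate the exposed ones first, and bury the rest. The following is an added illustration of that triage, not code from the article or from Acronis; the scoring weights, thresholds, and the sample inventory are assumptions chosen to make the reasoning visible.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str
    internet_facing: bool
    user_count: int
    os_supported: bool     # vendor still ships security fixes
    days_since_patch: int
    firewall_layers: int   # firewalls between the system and the internet
    admin_only: bool       # restricted to trained, trusted personnel

def likelihood(s: System) -> int:
    """Likelihood of attack, 1..10 (assumed weights): exposure raises it, burying lowers it."""
    score = 1
    score += 5 if s.internet_facing else 0
    score += 3 if s.user_count >= 100 else (1 if s.user_count >= 10 else 0)
    score -= min(s.firewall_layers, 2) + (1 if s.admin_only else 0)
    return max(1, min(10, score))   # never 0: a weakness cannot be eliminated, only hidden

def vulnerability(s: System) -> int:
    """Vulnerability, 0..10 (assumed weights): unsupported OS and stale patches."""
    score = 5 if not s.os_supported else 0
    score += 3 if s.days_since_patch > 30 else (1 if s.days_since_patch > 7 else 0)
    return min(10, score)

def recommend(s: System) -> str:
    vuln = vulnerability(s)
    if vuln == 0:
        return "routine: keep on the normal patch cycle"
    if likelihood(s) >= 5:
        return "now: patch or migrate, it is exposed and vulnerable"
    if s.firewall_layers >= 2 and s.admin_only:
        return "accept: buried behind firewalls and admin-only, keep monitoring it"
    return "isolate: add firewall layers and restrict access, then schedule the patch"

def triage(inventory):
    """Return (name, risk, recommendation) sorted by risk = likelihood x vulnerability."""
    rows = [(s.name, likelihood(s) * vulnerability(s), recommend(s)) for s in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory, loosely modelled on the situations the article describes.
INVENTORY = [
    System("web-portal", True, 5000, True, 20, 1, False),
    System("ot-hmi-xp", False, 3, False, 900, 2, True),
    System("cctv-server", False, 40, False, 365, 0, False),
    System("payroll", False, 5, True, 3, 1, True),
]

if __name__ == "__main__":
    for name, risk, rec in triage(INVENTORY):
        print(f"{name:12} risk={risk:2}  {rec}")
```

The unsupported OT host and the unsupported camera server are equally vulnerable, but only the one that is not buried gets an "isolate" action, while the internet-facing portal is first in line for patching despite a much smaller vulnerability score.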
A word about passwords
The bit of news that made the Louvre attack so infamous in cybersecurity circles was undoubtedly the “LOUVRE” password. But before you chuckle, consider this: According to CNET, half of all Americans have risky password habits. About a quarter use the same password for different accounts, and it gets even crazier than that: 8% use passwords they know were compromised in a data breach. Those people could be employees in your organization or even members of your team.
There are a few steps organizations can take to encourage healthy password practices. Security awareness training for employees is critical for starters. Multifactor authentication (MFA) is an absolute must, preferably with the use of phishing-resistant passkeys. Beyond that, organizations should consider requiring employees to use a password manager, which is far and away the safest method for creating and storing passwords.
A few other healthy password practices might come as a surprise. For starters, a password shouldn’t be a word as much as a phrase. "P@ssword1!," for instance, is generally less effective and easier to break than, say, "thisismypersonalpasswordwithdetailsnobodycouldeverguess." With a password manager, users only have to remember a single master passphrase. The app will take care of creating other passwords.
There’s another common practice that probably doesn’t do much good: periodically changing passwords. If a password works, it works. There is no reason to change it. In fact, requiring employees to change passwords periodically can have negative consequences, such as the use of overly simple passwords (gems such as "Fall2025!" followed by "Winter2025!"). And in case it’s not obvious enough already, don’t use the name of your organization as your password.
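The two paragraphs above amount to a small password policy: prefer long passphrases to dressed-up dictionary words, reject the organization's name and the season-plus-year rotation pattern, and change a password only when there is reason to believe it is compromised. This is an added example of enforcing those rules at set time, not code from the article or from Acronis; the organization name, the weak-word list, and the length threshold are assumptions.

```python
import re

# Constructed sample data, not a real breach corpus: the organization's name, a few
# weak base words, and season names for the Fall2025!/Winter2025! pattern.
ORG_NAME = "Louvre"
WEAK_BASES = {"password", "welcome", "admin", "qwerty", "123456"}
SEASONS = ("spring", "summer", "fall", "autumn", "winter")
MIN_LENGTH = 16                              # assumed threshold favouring passphrases
LEET = str.maketrans("@$0", "aso")           # undo the usual symbol-for-letter swaps
SEASON_YEAR = re.compile(r"(?:%s)\d{2,4}\W*" % "|".join(SEASONS))

def check_password(pw: str, org_name: str = ORG_NAME) -> list[str]:
    """Return the rules a candidate password breaks; an empty list means it is acceptable."""
    low = pw.lower()
    # Strip trailing digits/symbols and undo leetspeak so "P@ssword1!" is judged as "password".
    core = re.sub(r"[\d\W_]+$", "", low).translate(LEET)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short: prefer a long passphrase over a short word")
    if core in WEAK_BASES or low in WEAK_BASES:
        problems.append("a dictionary word dressed up with symbols and digits")
    if org_name.lower() in low:
        problems.append("contains the organization's name")
    if SEASON_YEAR.fullmatch(low):
        problems.append("season plus year: the classic forced-rotation password")
    return problems

def needs_change(pw: str, known_compromised: bool) -> bool:
    """A working password is changed only if it breaks policy or is known to be compromised,
    never merely because a calendar interval has passed."""
    return known_compromised or bool(check_password(pw))

# Constructed candidates drawn from the examples the article mentions.
CANDIDATES = ["LOUVRE", "P@ssword1!", "Fall2025!", "Winter2025!",
              "thisismypersonalpasswordwithdetailsnobodycouldeverguess"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```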
Protect your data with a smart cybersecurity plan
The details about cybersecurity practices at the Louvre should serve as a call for organizations to review their own security plans. Your data and systems are your crown jewels. You can’t make your cyber defenses infallible, but with the right strategy, you can develop a cybersecurity plan that will balance vulnerability with likelihood of attack and greatly reduce your risk of suffering a cyberattack.